Industry groups across sectors are raising concerns with various aspects of the National Institute of Standards and Technology’s approach to managing supply-chain risks in a proposed update to the voluntary framework of cybersecurity standards.

Specifically, groups say the NIST plan fails to take into account the interconnectedness of vendor services and downplays the potential effect on small businesses, among other issues.

More than 100 industry groups submitted comments to NIST on its proposed update of the cybersecurity framework – “version 1.1” – which includes new provisions on metrics for measuring effective use of the framework along with a new section on managing supply-chain risks. The comments lay out issues that will likely be debated at a May 16-17 public workshop at NIST’s Gaithersburg, MD, headquarters on the proposed framework update…